Direct object reference

This category is the same as the one stated in the OWASP Top 10 project. It refers to the attacker's capability to interact with application internals by supplying an ad hoc crafted parameter.

The families contained in this category are:

Direct object reference

Direct reference to database data

Direct reference to filesystem

Direct reference to memory

Resource usage

This category is related to all the unsafe ways source code can request resources managed by the operating system. Most of the vulnerability families contained here, if exploited, result in some kind of denial of service.

Resources can be:

filesystem objects

memory

CPU

network bandwidth

The families included are:

Resource usage

Insecure file creation

Insecure file modifying

Insecure file deletion

Race condition

Memory leak

Unsafe process creation

API usage

This section is about APIs provided by the system or by the framework in use that can be called in an unsafe way. In this category you can find:

insecure database calls

insecure random number creation

improper memory management calls

insecure HTTP session handling

insecure strings manipulation

Best practices violation

This category is about all miscellaneous security violations that don't fit in the previous categories. Most, but not all, of these are warning-only source code best practices.

This category includes:

insecure memory pointer usage

NULL pointer dereference

pointer arithmetic

variable aliasing

unsafe variable initialization

missing comments and source code documentation

Weak Session Management

Not invalidating session upon an error occurring

Not checking for valid sessions upon HTTP request

Not issuing a new session upon successful authentication

Passing cookies over non-SSL connections (no secure flag)

Using HTTP GET query strings

Payload data is logged if it is contained in query strings. This information can be logged on every node between the client/browser and the server. Passing sensitive information using a query string and HTTP GET is a mortal sin. SSL does not even protect you here: it only covers the data in transit, not the logs written at each end.
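The session management checks listed above, as an added example that is not part of the original page: a small in-memory session store (constructed for illustration) that validates the session on every request, invalidates it on an authentication error, issues a fresh identifier on successful login, and sets the secure flag on the cookie. The store, the TTL and the cookie name are assumptions of this example.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value for this example


class SessionStore:
    """In-memory session store demonstrating the checks listed in the text."""

    def __init__(self):
        # session id -> {"user": str | None, "expires": float}
        self._sessions = {}

    def _new_id(self):
        # Unpredictable id from the OS CSPRNG, not a counter or timestamp
        return secrets.token_urlsafe(32)

    def create_anonymous(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": time.time() + SESSION_TTL}
        return sid

    def validate(self, sid):
        """Run on every HTTP request: returns the session or None if unknown/expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["expires"] < time.time():
            self.invalidate(sid)
            return None
        return s

    def invalidate(self, sid):
        self._sessions.pop(sid, None)

    def login(self, old_sid, user, password_ok):
        """Invalidate on error; on success issue a new id (no session fixation)."""
        self.invalidate(old_sid)  # the pre-login session is never reused
        if not password_ok:
            return None
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid


def session_cookie_header(sid):
    """Set-Cookie value: Secure keeps the cookie off non-SSL connections."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```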